
Bloomberg reports that, according to “two people familiar with the matter,” the NSA has known about the Heartbleed vulnerability for at least two years—and was exploiting it to collect information about people instead of informing those vulnerable and getting it fixed.

According to Slate, "In early 2012 Heartbleed was mistakenly introduced into the code for OpenSSL, an open-source software component for certain popular types of encryption. It would make sense if the NSA found it soon after, because—in addition to using its influence to weaken new or existing encryption—the agency also spends millions of dollars looking for software vulnerabilities that already exist around the Web, especially in open-source code that is more likely to have inconsistent oversight, and therefore bigger errors."

I guess if I wanted to collect a lot of user data right now, a good way would be to set up a website where people can enter their user names and passwords and have them checked to see if they have been stolen.